While cyber-attacks on large financial institutions tend to garner the most attention, smaller community-based financial businesses are experiencing attempted breaches more often these days from hacktivists and cyber gangs to organized crime and unfriendly nation-states. That includes regional banks, credit unions and credit card processors.
The issues faced by many of the smaller financial institutions are budgetary constraints to allocating capital to enhancing cyber security. Larger institutions typically have more money to spend on cyber security than the smaller firms. Furthermore, “as the cost of technology decreases, the barriers to entry for cyber-crime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud. A growing black market for breached data serves to encourage wrongdoers further, according to the New York State Department of Financial Security.
An issue faced by many firms, regardless of size and even industry, is the interconnectedness of cyber systems. As Daimon Geopfert, principal of Risk Advisory Services at McGladrey says, “as you would guess, it’s a little bit nuanced. What we try to coax a lot of our [private equity] clients into thinking is there is the security at the fund level itself, at the portfolio level and then the interaction between the two.”
When it comes to what information cyber-attackers are after account takeovers, identity theft, telecommunications network disruptions and data integrity breaches top the list.
In terms of how attackers are infiltrating financial institutions a recent report showed how an international band of cyber crooks broke into banks’ internal systems rather than targeting customers. The report, by Moscow-based security firm Kaspersky Lab, “said it found evidence that hackers have stolen up to $1 billion from 100 banks across 30 countries this way,” according to USA Today.
Does all of this mean consumers should be fearful of working with local financial institutions? The answer is no. Generally speaking, smaller outfits are instituting a variety of security protocols, such as anti-virus software, encryption tools and firewalls. The DFS also recommends smaller institutions take advantage of services and products available at relatively little cost, such as information-sharing and analysis resources. Furthermore, a greater percentage of smaller institutions have external insurance coverage to help manage cyber security risk than do medium- and larger-sized brethren.
“Although the issue of limited resources will continue to plague small institutions in particular, the amount of money spent on a cyber program is by no means the best reflection of its strength. Costly software that is rarely updated, deployed in an ineffective manner, or fails to take into account social engineering does little to contribute to an institution’s cyber program. Much more relevant is an institution’s ability to identify its top cyber risks and design a program around those risks.”
On an individual level, Geopfert reminds us to always know where his or her data is located and who has access to it. “When you’re talking about where the most common areas of failure are – people, by far. The biggest data breaches of all time are people leaving laptops in the backs of taxis. That still happens.”